Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Local vulnerability #7

Closed
lukeecart opened this issue Aug 1, 2022 · 3 comments · Fixed by #9
Closed

Local vulnerability #7

lukeecart opened this issue Aug 1, 2022 · 3 comments · Fixed by #9
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@lukeecart
Copy link
Contributor

HTML injection is possible, Setting a <img src="X" onerror=alert(1);> will show an alert every time you refresh the page...

The created task will need to be sanitised by some package like https://www.npmjs.com/package/sanitize-html or https://github.com/cure53/DOMPurify
@Dharmik48 Dharmik48 added bug Something isn't working help wanted Extra attention is needed labels Aug 1, 2022
@Dharmik48
Copy link
Owner

Yeah, it is a very serious issue, we need to fix it ASAP!

Would you like to work on this?

@lukeecart
Copy link
Contributor Author

@Dharmik48 I have created a PR to close this.
I found when escaping the HTML that I was no longer to easily identify tasks. So if it's okay I have added an id to each task and identified by that instead.

@lukeecart lukeecart mentioned this issue Aug 1, 2022
Merged
@Dharmik48
Copy link
Owner

@Dharmik48 I have created a PR to close this. I found when escaping the HTML that I was no longer to easily identify tasks. So if it's okay I have added an id to each task and identified by that instead.

Yeah that's totally fine! Having an ID actually makes it better

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Sanitise HTML input & use id instead of title to identify task lukeecart/todo-list-app
2 participants
@lukeecart @Dharmik48